Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DO NOT MERGE: OCI ImageDestination #102

Closed
wants to merge 10 commits into from
Closed

DO NOT MERGE: OCI ImageDestination #102

wants to merge 10 commits into from

Conversation

runcom
Copy link
Member

@runcom runcom commented Jun 14, 2016

This doesn't do much except 90b7bdd which moves manifest utils to a top level pkg.

The rest implements OCI ImageDestination which basically outputs to a directory following https://github.com/opencontainers/image-spec/blob/master/image-layout.md

Note that the OCI image spec it's still WIP itself.

This is still WIP but I greatly appreciate any comment @mtrmac (there are some ugliness just to make this work so don't bother about them I will fix it of course, I'd like to have an impression on the direction first)

It's already kind of working (expect reference naming which has an issue upstream as well):

$ ./skopeo copy docker://docker.io/fedora oci:docker.io/fedora
INFO[0001] Downloading library/fedora/blobs/sha256:8b53fe19c255ee721e5b2441b8469fc01a6324e8564de89bf8485387b34f95e6 
INFO[0045] Downloading library/fedora/blobs/sha256:a20665eb1fe2912accb3d5dadaed360430df0d1aa46874875886947d61d3d4ee 

$ tree docker.io/fedora 
docker.io/fedora
├── blobs
│   ├── sha256-8b53fe19c255ee721e5b2441b8469fc01a6324e8564de89bf8485387b34f95e6
│   ├── sha256-a20665eb1fe2912accb3d5dadaed360430df0d1aa46874875886947d61d3d4ee
│   └── sha256-fdf695e9003ee97fcec524f3f6c5aa70a32b256eab051a6f1cb621b7cf77352a
├── oci-layout
└── refs
    └── TODO

2 directories, 5 files

@runcom
Copy link
Member Author

runcom commented Jun 14, 2016

/cc @vbatts @rhatdan

the final directory isn't compressed or anything else because that's still missing definition in the spec from what I've understood

@runcom runcom force-pushed the oci-2 branch 4 times, most recently from dcea9d0 to bb74d94 Compare June 14, 2016 12:03
@@ -10,19 +10,31 @@ import (

// FIXME: Should we just use docker/distribution and docker/docker implementations directly?

// FIXME(runcom, mitr): should we havea mediatype pkg??
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don’t quite feel we need to have a separate package for everything. Sure, use packages to simplify dependencies and avoid loops and have clear separation between transports, conversions and signatures, and from time to time to simplify the callers’ notation to avoid too many words in a symbol reference, but at some point adding a complex difficult-to-navigate package structure could make understanding more difficult instead of simpler.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@mtrmac
Copy link
Contributor

mtrmac commented Jun 14, 2016

  • In mtrmac/skopeo:verify-on-pull I have already moved the layer parsing out of copy.go; it would be good to integrate this here. Shall I separate that part of the verify-on-pull branch into a separate, immediately mergeable, PR?
  • Moving skopeo/docker/utils to skopeo/manifest: sure, why not; but when dropping the Manifest part of function names, it would read cleaner to keep the module reference as manifest.Digest instead of mutils.Digest. etc.


func (d *ociImageDestination) PutSignatures(signatures [][]byte) error {
// TODO
return nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this TODO comment is not a short-term thing, the method should return an error instead of silently throwing away data.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

but wait, then skopeo copy can't work well because it always error out on failed to upload signatures. any idea?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if len(signatures) != 0 { return $someError }.

At the moment images with signatures are nonexistent, so the above would work well enough. Later we will need a skopeo copy --drop-signatures.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

alright, that makes sense, wasn't sure about that

@runcom
Copy link
Member Author

runcom commented Jun 14, 2016

In mtrmac/skopeo:verify-on-pull I have already moved the layer parsing out of copy.go; it would be good to integrate this here. Shall I separate that part of the verify-on-pull branch into a separate, immediately mergeable, PR?

would be cool - pls do if you can

Moving skopeo/docker/utils to skopeo/manifest: sure, why not; but when dropping the Manifest part of function names, it would read cleaner to keep the module reference as manifest.Digest instead of mutils.Digest. etc.

right the issue here is that we have so many vars called manifest - I'll see if I can replace them all

@mtrmac
Copy link
Contributor

mtrmac commented Jun 14, 2016

In mtrmac/skopeo:verify-on-pull I have already moved the layer parsing out of copy.go; it would be good to integrate this here. Shall I separate that part of the verify-on-pull branch into a separate, immediately mergeable, PR?

would be cool - pls do if you can

#103 .

@runcom
Copy link
Member Author

runcom commented Jun 14, 2016

@mtrmac PTAL while I import #103 here after merged

func NewOCIImageDestination(dir string) (types.ImageDestination, error) {
// oci dest follow docker's one - parse those here
// there's no clear direction on naming though but since image-spec is WIP just assume this for now..
ref, tag, err := parseDockerImageName(dir)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mtrmac this is important but I guess it's fine as it is right now :(

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In general paths are not valid Docker Image Names; Is even /home/mitr/some-dir valid? /home/mitr/I_LIKE_CAPS/some_dir definitely isn’t valid.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

right, that's why we error out if the destination name in oci:docker.io/fedora isn't a valid reference.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAICS d.ref is only used for FullName (i.e. to turn it back into a string), this seems not worth all the effort; just find the last : and split into directory + tag?

(Have I ever mentioned that I hate mini-languages and strings and in-band signalling in general, a tiny bit? :) Yeah yeah, we can’t avoid strings for command line.)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(Have I ever mentioned that I hate mini-languages and strings and in-band signalling in general, a tiny bit? :) Yeah yeah, we can’t avoid strings for command line.)

haha now I know it

AFAICS d.ref is only used for FullName (i.e. to turn it back into a string), this seems not worth all the effort; just find the last : and split into directory + tag?

was smelling to me as well - I'll do it

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just find the last : and split into directory + tag?

how do we make sure directory is valid? valid as in docker.io/fedora for instance, I think we should require oci: prefix to enforce a valid destination, or not?

@mtrmac
Copy link
Contributor

mtrmac commented Jun 14, 2016

Copying to preserve:

I guess PutManifest would really benefit from a MIME type parameter.

but should that parameter match the actual mime type in the manifest bytes? otherwise, it's just asking to covert bytes to the correct manifest right?

Yes; conversion, if any would happen in the caller. And the caller may not know the manifest type either (see GetManifest). But if the caller does know, it seems a bit pointless, and potentially dangerous, to throw that away and guess.

Right, we'll figure that out once I actually come here and hack on this TODO, can you move those comments in the main PR page instead of per commit? (sorry I don't want to lose them once I push force :()

@runcom runcom force-pushed the oci-2 branch 2 times, most recently from ca327a8 to 947cc0e Compare June 14, 2016 16:52
@runcom
Copy link
Member Author

runcom commented Jun 14, 2016

@mtrmac fixing latest stuff before trying to merge with #103 :)

Does it look relatively good to go and try to merge with #103? Otherwise, I though about merging this as is and I'll follow on carrying #103 and adapting it for OCI - just so we have some OCIness into skopeo master, does this sound resonable?

@runcom runcom force-pushed the oci-2 branch 6 times, most recently from ab5cba6 to c3be1ba Compare June 15, 2016 12:27
if err := d.ensureParentDirectoryExists("refs"); err != nil {
return err
}
// TODO(runcom):
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is the only big todo left

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mtrmac ptal at the last commit

func (d *ociImageDestination) ensureParentDirectoryExists(parent string) error {
path := filepath.Join(d.dir, parent)
if _, err := os.Stat(path); err != nil && os.IsNotExist(err) {
if err := os.MkdirAll(path, 0700); err != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use 0755 perhaps? This is using 0700, and files within these directories are created using 0644. They don’t have to be consistent (the 0700 on the directory prevails) but it would be nice for them to be.

@mtrmac
Copy link
Contributor

mtrmac commented Jun 24, 2016

@mtrmac PTAL - I've added 2 more commits after rebasing

Read this line by line, that should be all.

@runcom
Copy link
Member Author

runcom commented Jun 24, 2016

On it, thanks a lot

@runcom
Copy link
Member Author

runcom commented Jun 25, 2016

@mtrmac test failures seems related?

@runcom runcom force-pushed the oci-2 branch 2 times, most recently from 6328231 to 49c2d26 Compare June 26, 2016 11:48
@mtrmac
Copy link
Contributor

mtrmac commented Jun 27, 2016

@mtrmac test failures seems related?

Yeah; without actually placing any breakpoints in, it seems that this changes the manifest we get from the Docker Hub from v1s1 to v2s2, and the OpenShift registry does not support v2s2 and rejects it. Oops.

A short-term fix would be to either find s1-only images hosted on the Docker Hub (do they exist, or have they converted everything to s2?), or perhaps to modify the tests to pull some local images (fixtures?) from any one of the 3? in-container Docker registries instead of relying on the Docker Hub (which would be nice anyway).

Longer-term, we absolutely need to figure this out. I suppose it is easy enough to add SupportedDestinationMIMETypes to an ImageDestination, and to backpropagate that information through Image (which would need a new parameter) to ImageSource (which already supports it in GetManifest).

(It is also conceptually really awkward; a tagged Docker Reference, even if not retagged, does not specify a unique image, you can get something completely different depending on what destination you want to store the image in. sigh, no helping this now, I suppose.)

for _, layer := range m.Layers {
blobs = append(blobs, layer.Digest)
}
blobs = append(blobs, m.Config.Digest)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to sort this out before moving to containers/image - so when a v2s2 manifest is retrieved and we look for layers I'm appending the config digest here because it's needed (as it was in v2s1, but v2s1 had the config embedded into the manifest itself) so now we have to retrieve the config somehow. Would it be better by adding a Config() to the generalManifest interface? or is this ok? /cc @mtrmac

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nvm tried a fix into containers/image#19

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, see the conversation around containers/image#19.

@runcom
Copy link
Member Author

runcom commented Jun 28, 2016

I'll keep this open until we merge:

containers/image#19
containers/image#17

after those are merged, I'll split the OCI bits to containers/image and refactor code here

@mtrmac
Copy link
Contributor

mtrmac commented Jun 28, 2016

containers/image#17 / containers/image#19 as it is now does not, AFAICS, fix the integration test failures (pulling s2 from Docker Hub and trying to save it into OpenShift, which only supports s1).

@runcom
Copy link
Member Author

runcom commented Jun 28, 2016

they don't I'm just tracking progress in containers/image to go forward with this one

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
@runcom
Copy link
Member Author

runcom commented Jun 28, 2016

eah; without actually placing any breakpoints in, it seems that this changes the manifest we get from the Docker Hub from v1s1 to v2s2, and the OpenShift registry does not support v2s2 and rejects it. Oops.

A short-term fix would be to either find s1-only images hosted on the Docker Hub (do they exist, or have they converted everything to s2?), or perhaps to modify the tests to pull some local images (fixtures?) from any one of the 3? in-container Docker registries instead of relying on the Docker Hub (which would be nice anyway).

right, using images with v2s1 only manifests should fix the test - I just pushed to test my fix out

@runcom runcom changed the title OCI ImageDestination DO NOT MERGE: OCI ImageDestination Jun 28, 2016
@runcom
Copy link
Member Author

runcom commented Jun 28, 2016

right, test passed but we should look forward to fix this as you described in #102 (comment)

@mtrmac
Copy link
Contributor

mtrmac commented Jun 28, 2016

right, test passed but we should look forward to fix this as you described in #102 (comment)

Good to confirm that this is the culprit; if this is fixed, it would be nice to revert to using the library/ images again so that we can have confidence in this working for the common users and uses.

@runcom
Copy link
Member Author

runcom commented Jun 28, 2016

Right, we still have to fix the underlying issue though :( taking care of this tomorrow probably

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

dest, err := parseImageDestination(context, context.Args()[1])
if err != nil {
return fmt.Errorf("Error initializing %s: %v", context.Args()[1], err)
}
signBy := context.String("sign-by")
src := image.FromSource(rawSource, dest.SupportedImageDestinationMIMEType())
Copy link
Contributor

@mtrmac mtrmac Jun 29, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yay, it works! Stylistically it would be a bit more readable to do all of dest first and source second, then, so that we have a clear, simple dest paragraph and src paragraph.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 will do it after we merge containers/image#26 and do the full rebase here

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants